GAO

Washington, DC 20548



November 30, 2007



The Honorable Robert C. Byrd
Chairman 

The Honorable Thad Cochran 
Ranking Member 

Subcommittee on Homeland Security 
Committee on Appropriations 
United States Senate 



The Honorable David Price
Chairman

The Honorable Harold Rogers



Subcommittee on Homeland Security 
Committee on Appropriations 
House of Representatives 



Subject: Transportation Security Administration's Processes for Designating and
Releasing Sensitive Security Information 

Since the September 11, 2001, terrorist attacks, federal agencies have faced the challenge of
protecting sensitive information from terrorists and others without a need to know while
sharing this information with parties who are determined to have such a need. One form of
protection involves identifying and marking such information sensitive but unclassified —
information that is generally restricted from public disclosure but not designated as classified
national security information.

As part of post-September 11 efforts to better share information critical to homeland
protection, sensitive but unclassified information has undergone scrutiny by Congress and
GAO. In March 2006, we reported results from our survey of 26 federal agencies, from which
we found that most of the agencies lacked policies and procedures for designating and
releasing sensitive but unclassified information. As a result, we recommended
governmentwide implementation of (1) guidance for determining what information should be
protected with sensitive but unclassified designations, (2) provisions for training on making
designations and for controlling and sharing information with other entities, and (3) a review
process to determine how well the program is working.¹



¹ GAO, Information Sharing: The Federal Government Needs to Establish Policies and Processes for
Sharing Terrorism-Related and Sensitive but Unclassified Information, GAO-06-385 (Washington,
D.C.: Mar. 17, 2006).



The Department of Homeland Security's (DHS) Transportation Security Administration
(TSA) requires that certain information be protected from public disclosure as part of its
responsibility for securing all modes of transportation. TSA, through its authority to protect
information as sensitive security information (SSI), prohibits the public disclosure of
information obtained or developed in the conduct of security activities that, for example,
would be detrimental to transportation security. According to TSA, SSI may be generated by
TSA, other DHS agencies, airports, aircraft operators, and other regulated parties when they,
for example, establish or implement security programs or create documentation to address
security requirements.



In February 2006, TSA established its SSI office to develop and implement TSA policies
concerning the handling, training, and protection of such information. Through this office,
TSA has established regulations that allow for the sharing of SSI with covered persons having
a need to know — including airport and aircraft operators, foreign vessel owners, and TSA
employees.² If, however, persons who do not otherwise have a need to know request access
to SSI, TSA may share or release such information if it determines the information no longer
requires protection as SSI. Also, in the course of a civil proceeding, a requesting party or the
party's attorney may be granted access to SSI after being cleared through a background
check. This is permissible if the party has established that it has a substantial need for
relevant SSI and that it is unable, without undue hardship, to obtain the substantial equivalent
by other means. Furthermore, TSA or the judge in the civil proceeding must determine that
the sensitivity of the information at issue does not present a risk of harm to the nation.

Congress has had ongoing interest in whether TSA is consistently and appropriately
designating information as SSI and balancing the trade-off between the need to protect SSI
and the need to provide useful information to the public. Section 525 of the DHS
Appropriations Act, 2007 (Public Law 109-295), required the Secretary of DHS to revise
Management Directive (MD) 11056, which establishes DHS policy regarding the recognition,
identification, and safeguarding of SSI, to (1) review requests to publicly release SSI in a
timely manner and establish criteria for the release of information that no longer requires
safeguarding; (2) release certain SSI that is 3 years old, upon request, unless it is determined
the information must remain SSI or is otherwise exempt from disclosure under applicable
law; and (3) provide common and extensive examples of the 16 categories of SSI (see app. I
for a list of the categories) to minimize and standardize judgment by persons identifying
information as SSI.³ The law further prescribed steps that must be taken during the course of
a civil proceeding in the U.S. District Courts to provide a party with access to relevant SSI.
This provision also required us to report to the Committees on Appropriations of the Senate
and House of Representatives on DHS's progress and procedures in implementing these
requirements not later than 1 year from the date of the law's enactment (October 4, 2006).

In addition to answering this mandate, we are following up on a June 2005 report in which we
recommended that DHS direct the Administrator of TSA to establish (1) guidance and
procedures for using TSA regulations to determine what constitutes SSI, (2) responsibility for
the identification and determination of SSI, (3) policies and procedures within TSA for
providing training to those making SSI determinations, and (4) internal controls⁴ that define
responsibilities for monitoring compliance with SSI regulations, policies, and procedures and
communicate these responsibilities throughout TSA.⁵

² "Covered person" is defined at 49 C.F.R. § 1520.7 and includes persons permanently or temporarily
assigned, attached, or detailed to, employed by, or under contract with DHS. Section 1520.11
establishes the circumstances under which a person has a need to know SSI, such as when a person
requires access to specific SSI to carry out transportation security activities approved, accepted,
funded, recommended, or directed by DHS or the Department of Transportation.

³ See Pub. L. No. 109-295, § 525, 120 Stat. 1356, 1381-82 (2006).

To respond to the mandate and update the status of all four of our recommendations, we
assessed DHS's

• status in establishing criteria and examples for identifying SSI;

• efforts in providing training to those that identify and designate SSI;

• processes for responding to requests to release SSI, including the legislative mandate
to review various types of requests to release SSI; and

• efforts in establishing internal controls that define responsibilities for monitoring SSI
policies and procedures.

To address these objectives, we reviewed applicable DHS management directives, policies
and procedures, and other related documents, and interviewed TSA and DHS officials
involved in the SSI designation, training, document review, and oversight processes. While
our review focused on the policies and procedures developed by TSA, we also interviewed
officials involved in the SSI designation, training, document review, and oversight processes
for four other DHS components to better understand the use of SSI throughout DHS. We
compared the internal controls in place with the standards for internal control in the federal
government to determine whether TSA's internal controls are designed to provide reasonable
assurance that monitoring exists to help ensure compliance with SSI regulations, policies,
and procedures.⁶ We also used as criteria GAO-developed core characteristics of a strategic
training program to assess whether TSA has created and implemented the training necessary
for staff to make SSI determinations.⁷ We determined that the data were sufficiently reliable
for the purposes of our review. We based our decision on an assessment of existing
documentation on program operations and interviews with knowledgeable officials about the
source of the data and TSA's policies and procedures for collecting and maintaining the data.

On October 4, 2007, we provided a copy of our briefing slides to your staff. This report
conveys the information that was provided in these slides (see app. I).

We conducted our work from May 2007 through October 2007 in accordance with generally
accepted government auditing standards.



⁴ Internal control is an integral component of an organization's management that provides reasonable
assurance that the following objectives are achieved: (1) effectiveness and efficiency of operations, (2)
reliability of financial reporting, and (3) compliance with applicable laws and regulations.

⁵ See GAO-05-677, Transportation Security Administration: Clear Policies and Oversight Needed for
Sensitive Security Information (Washington, D.C.: June 29, 2005).

⁶ GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington,
D.C.: November 1999).

⁷ GAO, A Guide for Assessing Strategic Training and Development Efforts in the Federal
Government, GAO-04-546G (Washington, D.C.: March 2004).

Results



DHS, primarily through TSA's SSI Office, has addressed all of the legislative mandates from
the DHS Appropriations Act, 2007, and taken actions to satisfy all of the recommendations
from our June 2005 report.

DHS revised its MD to address the need for updating SSI guidance, and TSA has established
more extensive SSI criteria and examples that respond to requirements in the DHS
Appropriations Act, 2007, and our 2005 recommendation that TSA establish guidance and
procedures for using TSA regulations to determine what constitutes SSI. Further, TSA has
documented the criteria and examples in various publications to serve as guidance for
identifying and designating SSI. TSA has also shared its documentation of the criteria and
examples with other DHS agencies. For example, the U.S. Coast Guard and U.S. Customs and
Border Protection either have developed or are in the process of developing their own SSI
examples to correspond with the types of SSI that their agencies encounter. Additionally,
officials we interviewed from other DHS components have recognized opportunities to adapt
TSA's criteria to their offices' unique needs. Furthermore, TSA has appointed SSI
coordinators at all program offices to, among other things, implement SSI determination
policy. This action responds to our 2005 recommendation that TSA establish responsibility
for identifying and determining SSI.

TSA's SSI Office is in the process of providing SSI training to all of TSA's employees and
contractors in accordance with its recently established policies and procedures, an action
that responds to our 2005 recommendation. The office uses a "train the trainer" program in
which it instructs SSI program managers and coordinators who are then expected to train
appropriate staff in their respective agencies and programs. Several aspects of the SSI
training program that we evaluated are consistent with GAO-identified components of a
strategic training program. TSA has taken actions to incorporate stakeholder feedback and
establish policies to collect data to evaluate its training program and foster a culture of
continuous improvement. For example, the SSI Office assesses the accuracy of the
designations made by various DHS agencies and contacts the agencies, when necessary, to
correct any problems. Additionally, TSA has taken action to coordinate training activities
within and among DHS agencies. For instance, the SSI Office shares its guidance with other
DHS components so that program managers can create customized training programs that
will meet the needs of their staff.

Consistent with the legislative mandate, DHS has taken actions to update its processes to
respond to requests to release SSI. Specifically, DHS revised MD 11056 in accordance with
the DHS Appropriations Act, 2007, to incorporate a provision that all requests to publicly
release SSI will be reviewed in a timely manner, including SSI that is at least 3 years old.
Between February 2006 and January 2007, the SSI Office received 190 requests to review
records pertaining to the release of SSI, the majority of which came from government entities
(62 percent). The SSI Office worked with the requesting government entity to agree upon a
time frame for processing the request. Within the same 12-month period, 30 percent of
requests were initiated by the public under the Freedom of Information Act (FOIA).⁸ The SSI
Office has established a process for reviewing information requested through the FOIA
process in 5 days, unless the information consists of more than 100 pages. The remaining 8
percent of requests within the 12-month period came from individuals in connection with
litigation, including civil proceedings within the U.S. District Courts. According to TSA,
parties have sought SSI in nine civil proceedings since the enactment of the DHS
Appropriations Act, 2007, in October 2006. In one such proceeding, the litigant requested that
TSA make a final determination on the request for access to SSI. TSA, in accordance with the
law, made a final determination in which it released some of the requested SSI but withheld
other SSI because of the sensitivity of the information or because it was not relevant to the
litigation. TSA's SSI Office stated that all information that is at least 3 years old that does not
warrant continued protection as SSI is released upon request. The SSI Office uses a
controlled access database to document the completion of its steps in reviewing requests to
release SSI, which serves as a quality control mechanism.

⁸ The Freedom of Information Act is the primary process for releasing information to (and for
withholding information from) the public, as appropriate. See 5 U.S.C. § 552. SSI, by
statute, is exempt from disclosure under FOIA.

The internal controls that TSA designed for SSI are consistent with governmentwide
requirements and respond to our 2005 recommendation. For example, standards for internal
controls in the federal government state that areas of authority and responsibility be clearly
defined by a supportive management structure and that controls be in place to ensure that
management's directives are carried out. The revised DHS MD 11056 outlined areas of
authority for the monitoring of and compliance with SSI policy. Further, the MD established
managers and coordinators within DHS agencies and programs, respectively, to communicate
SSI responsibilities to DHS staff. Standards for internal controls in the federal government
also call for monitoring activities to assess the quality of program performance over time and
ensure that problems raised during quality reviews are promptly resolved. TSA program
managers and coordinators are required to periodically complete self-inspections on the use
of SSI for their respective office or agency.

Agency Comments 

We provided a draft of this report to DHS for review and comment. DHS did not submit any
formal comments. However, TSA provided technical comments and clarifications, which we
incorporated, as appropriate.



We are sending copies of this report to other interested congressional committees and to the
Secretary of the Department of Homeland Security and the Administrator of the
Transportation Security Administration. We will also make copies available to others upon
request. In addition, the report will be available at no charge on GAO's Web site at
http://www.gao.gov.

If you or your staff have any questions concerning this report, please contact me at (202)
512-5510 or by e-mail at larencee@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this report. Key contributors to
this report were Glenn Davis, Assistant Director; Brian Sklar; Nicole Harris; Thomas
Lombardi; Katherine Davis; Carolyn Ikeda; and Michele Fejfar.




Eileen R. Larence, Director
Homeland Security and
Justice Issues

Enclosure

Information for Congressional Committees




Transportation Security Administration’s 
(TSA) Processes for Designating and 
Releasing Sensitive Security Information 

(SSI) 



Briefing to the 
Appropriations Committees 
October 4, 2007 




Introduction 



• After the terrorist attacks of September 11, 2001, the Aviation and
Transportation Security Act (ATSA) was enacted on November 19,
2001, with the primary goal of strengthening the security of the
nation's aviation system;

• ATSA created TSA as the agency responsible for the security of all
modes of transportation and extended most civil aviation security
responsibilities, including authority to designate Sensitive Security
Information, from the Federal Aviation Administration (FAA) to TSA;

• TSA's SSI authority is codified at 49 U.S.C. § 114(a) and its
regulations are codified at 49 C.F.R. part 1520.

Introduction



• TSA, through its SSI authority, prohibits the public disclosure of information
obtained or developed in the conduct of security activities that would be
detrimental to transportation security.

• SSI regulations allow for the sharing of SSI with covered persons having a
need to know, including airport operators, aircraft operators, foreign vessel
owners, TSA employees, and other persons.

• According to TSA, safeguarding information as SSI allows controlled
information sharing with covered persons to meet TSA's mission to protect
the nation's transportation systems.

Introduction



• There is ongoing congressional interest in whether TSA is applying 
the SSI criteria consistently and appropriately and balancing the 
tradeoff between the need to protect SSI and the need to provide 
useful information to the public. 

• One example of an instance is when an individual might seek SSI in
connection with a civil proceeding in a U.S. District Court. TSA will
make an initial determination on whether the party has a substantial
need for any of the specific SSI to which access is sought and
whether the sensitivity of the issue is such that any provisions of
access would present a risk of harm to the nation.

Introduction



In June 2005, we recommended that DHS direct the Administrator of TSA
to establish:

• guidance and procedures for using TSA regulations to determine what
constitutes SSI;

• responsibility for the identification and determination of SSI;

• policies and procedures within TSA for providing training to those
making SSI determinations; and

• internal controls that define responsibilities for monitoring compliance
with SSI regulations, policies, and procedures and communicate those
responsibilities throughout TSA.

Scope and Methodology



To address the objectives, we:

• reviewed applicable DHS management directives,
policies and procedures, and other documents related to
SSI designation, training, document review, and the
oversight process, and

• interviewed TSA and DHS officials involved in the SSI
designation, training, document review, and oversight

Results In Brief




• DHS revised its MD to address the need for SSI criteria and examples
in accordance with the law.

• TSA has shared its documentation of SSI criteria and examples with
other DHS agencies to help them identify and designate SSI.

• Officials we interviewed from DHS agencies that work with or generate
SSI products stated that they have developed, or are in the process of
developing, their own SSI examples to correspond with the types of
SSI that their agencies encounter.

Results In Brief (cont’d)



TSA has policies and procedures to respond to all three types of SSI
requests, and a mechanism is in place to document its processes:

• The SSI Office has a procedure in place to respond to requests from
government entities, FOIA-related requests, and requests stemming
from civil proceedings.

• TSA plans to publish a Notice of Proposed Rulemaking to articulate
the process for providing SSI to parties in connection with civil
proceedings in U.S. District Courts.

• The SSI Office has a process for recording its steps when reviewing
requests to release SSI that serves as a quality control mechanism.

Objective #2-Training for Those Who
Generate and Use SSI



• Although the SSI Office provides training to all SSI program managers and
coordinators from the DHS agencies that use or generate SSI, the program
manager from each DHS agency that handles SSI is responsible for
customizing and evaluating the sufficiency of his or her SSI training to meet
the agency's unique program needs.

• The SSI Office is utilizing a "train the trainer" model in which it trains SSI
program managers and coordinators who are then expected to tailor the
materials to train the appropriate staff in their agency or office.

Objective #2-Training for Those Who
Generate and Use SSI




training is achieving its mission and goals, and coordinate within and
among agencies to achieve economies of scale.

• The creation of the DHS SSI Oversight Committee provides a
mechanism for interagency coordination.

• The SSI Office shares its guidance with other DHS components so
that program managers can create customized training programs that
will meet the needs of their staff.

• According to TSA officials, additional funding would allow the SSI
Office to do more training and to create a national conference for

GAO-08-232R Transportation Security Administration

Objective #3-Requests for SSI through the 
Freedom of Information Act 

• The SSI Office has established a process for reviewing information
requested through the FOIA process in 5 days, unless the request contains
more than 100 pages.

• The SSI Office and FOIA Office coordinate to establish deadlines for FOIA
requests that contain more than 100 pages.

• Officials from the TSA FOIA Office stated that the SSI Office responds to
FOIA requests in a timely manner.

• The SSI Office has provided training to the department's FOIA Office staff
members so that they can make basic determinations on whether a FOIA
request includes SSI.

Objective #3-Requests for SSI during Civil
Proceedings




Objective #3-SSI Office Efforts to Establish Quality
Controls for Responding to SSI Requests

Attachment #1-Categories of SSI as
Established by TSA at 49 C.F.R. § 1520.5(b)




Attachment #2-SSI Office’s Nine-Step Process
for Reviewing Document Requests

(440627)

GAO’s Mission


The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go
to www.gao.gov and select "E-mail Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2 each.
A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent. Orders
should be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, DC 20548

To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2637
Fax: (202) 512-1061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-6154 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, JarmonG@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548

Public Affairs

Chuck Young, Acting Manager, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548



